N/A

Apache Solr uses a PKI based mechanism to secure inter-node communication when security is enabled. It is possible to create a specially crafted node name that does not exist as part of the cluster and point it to a malicious node. This can trick the nodes in cluster to believe that the malicious node is a member of the cluster. So, if Solr users have enabled BasicAuth authentication mechanism using the BasicAuthPlugin or if the user has implemented a custom Authentication plugin, which does not implement either "HttpClientInterceptorPlugin" or "HttpClientBuilderPlugin", his/her servers are vulnerable to this attack. Users who only use SSL without basic authentication or those who use Kerberos are not affected.

N/A

N/A

Apache Solr 安全漏洞

Apache Solr是美国阿帕奇（Apache）软件基金会的一款基于Lucene（一个全文检索引擎的架构）的搜索服务器，它支持层面搜索、垂直搜索、高亮显示搜索结果、多种输出格式等。 Apache Solr 5.3版本至5.5.4版本和6.0版本至6.5.1版本中存在安全漏洞。攻击者可利用该漏洞绕过安全限制，执行未授权的操作。

N/A

N/A